Such as defining a package for a set of policies like "shared-libs", and then when writing the policy putting "import shared-libs" or something like that?
Is this too much complex to do?
Marcelo.
2008/2/22, Daniel J Walsh <dwalsh@xxxxxxxxxx>:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bill Nottingham wrote:
> I was writing policy today, and I couldn't help notice a lot of
> repetitiveness in our policy:
>
> libs_use_ld_so(...)
> libs_use_shared_libs(...)
>
> These are needed by, well, everything. Can't they be assumed-unless-denied?
>
> Similarly, 99% of confined apps need:
>
> miscfiles_read_localization()
> files_read_etc_files(.)
> pipes & stream sockets
>
> Is there a way to streamline policy so there is a lot less
> repetition?
>
> Bill
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
We have talked about this in the past, and so far it has not gone
anywhere. The original goal when refpolicy policy was first written was
to allow more fine grained control then the example policy, which
grouped large amounts of access rules within a single macro.
(can_network) for example. So we wanted to avoid this, and perhaps the
pendulum swung too far to the opposite degree.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAke+0oIACgkQrlYvE4MpobPd5gCfYpoWTHLDhsCf1Ae1oTQFv4dA
AukAn0voXayQTmjDZm+AvEWoFyU2n/Rz
=sl9z
-----END PGP SIGNATURE-----
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list